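DAS-Security (安恒) device peering with an H3C firewall: SAs are present on both sides, but a Tunnel0 error is reported
The H3C firewall has a fixed address and acts as the hub node; the peer also has a fixed address; main mode is configured.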
interface GigabitEthernet1/0/1
port link-mode route
ip address 39.185.89.166 255.255.255.0
ip last-hop hold
nat outbound 3999
ipsec apply policy qj-fw
gateway 39.185.89.1
acl advanced 3999
rule 1 deny ip source 192.166.0.0 0.0.255.255 destination 192.68.0.0 0.0.255.255
rule 2 deny ip source 192.68.0.0 0.0.255.255 destination 192.166.0.0 0.0.255.255
rule 100 permit ip
ipsec logging packet enable
ipsec sa global-duration time-based 28800
#
ipsec transform-set qj-fw_IPv4_10
protocol ah-esp
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha256
ah authentication-algorithm sha256
pfs dh-group14
#
ipsec policy-template qj-fw 10
transform-set qj-fw_IPv4_10
local-address 39.185.89.166
ike-profile qj-fw_IPv4_10
sa duration time-based 28800
#
ipsec policy qj-fw 10 isakmp template qj-fw
#
apr signature auto-update
update schedule daily start-time 02:00:00 tingle 120
#
ike profile qj-fw_IPv4_10
keychain qj-fw_IPv4_10
local-identity address 39.185.89.166
match remote identity address 0.0.0.0 0.0.0.0
match local address GigabitEthernet1/0/1
proposal 10
#
ike proposal 10
encryption-algorithm aes-cbc-256
dh group14
authentication-algorithm sha256
#
ike keychain qj-fw_IPv4_10
match local address GigabitEthernet1/0/1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$9XWHnc3BqgAFesTD9O+O0kmmeQ0WGBfFFQ==
#
<▒▒▒ǽ-ǧ▒▒-▒▒▒▒>dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
167 39.172.55.127/500 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<▒▒▒ǽ-ǧ▒▒-▒▒▒▒>dis ips
<▒▒▒ǽ-ǧ▒▒-▒▒▒▒>dis ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------
-----------------------------
IPsec policy: qj-fw
Sequence number: 10
Mode: Template
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy: dh-group14
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Responder
Path MTU: 1396
Tunnel:
local address: 39.185.89.166
remote address: 39.172.55.127
Flow:
sour addr: 192.166.69.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.68.69.0/255.255.255.0 port: 0 protocol: ip
*Oct 30 15:03:04:464 2024 ▒▒▒ǽ-ǧ▒▒-▒▒▒▒ IPSEC/7/ERROR:
Tunnel0: Failed to check source address because of valid address.
*Oct 30 15:03:09:464 2024 ▒▒▒ǽ-ǧ▒▒-▒▒▒▒ IPSEC/7/ERROR:
Tunnel0: Failed to check source address because of valid address.
*Oct 30 15:03:14:464 2024 ▒▒▒ǽ-ǧ▒▒-▒▒▒▒ IPSEC/7/ERROR:
Tunnel0: Failed to check source address because of valid address.
*Oct 30 15:03:19:464 2024 ▒▒▒ǽ-ǧ▒▒-▒▒▒▒ IPSEC/7/ERROR:
Tunnel0: Failed to check source address because of valid address.
*Oct 30 15:03:24:464 2024 ▒▒▒ǽ-ǧ▒▒-▒▒▒▒ IPSEC/7/ERROR:
Tunnel0: Failed to check source address because of valid address.
*Oct 30 15:03:29:464 2024 ▒▒▒ǽ-ǧ▒▒-▒▒▒▒ IPSEC/7/ERROR:
Tunnel0: Failed to check source address because of valid address.
*Oct 30 15:03:34:464 2024 ▒▒▒ǽ-ǧ▒▒-▒▒▒▒ IPSEC/7/ERROR:
Tunnel0: Failed to check source address because of valid address.
*Oct 30 15:03:39:464 2024 ▒▒▒ǽ-ǧ▒▒-▒▒▒▒ IPSEC/7/ERROR:
Tunnel0: Failed to check source address because of valid address.
*Oct 30 15:03:44:464 2024 ▒▒▒ǽ-ǧ▒▒-▒▒▒▒ IPSEC/7/ERROR:
Tunnel0: Failed to check source address because of valid address.
*Oct 30 15:03:49:464 2024 ▒▒▒ǽ-ǧ▒▒-▒▒▒▒ IPSEC/7/ERROR:
Tunnel0: Failed to check source address because of valid address.
*Oct 30 15:03:54:464 2024 ▒▒▒ǽ-ǧ▒▒-▒▒▒▒ IPSEC/7/ERROR:
Tunnel0: Failed to check source address because of valid address.
*Oct 30 15:03:59:464 2024 ▒▒▒ǽ-ǧ▒▒-▒▒▒▒ IPSEC/7/ERROR:
Tunnel0: Failed to check source address because of valid address.
*Oct 30 15:04:04:464 2024 ▒▒▒ǽ-ǧ▒▒-▒▒▒▒ IPSEC/7/ERROR:
Tunnel0: Failed to check source address because of valid address.
*Oct 30 15:04:09:464 2024 ▒▒▒ǽ-ǧ▒▒-▒▒▒▒ IPSEC/7/ERROR:
Tunnel0: Failed to check source address because of valid address.
*Oct 30 15:04:14:464 2024 ▒▒▒ǽ-ǧ▒▒-▒▒▒▒ IPSEC/7/ERROR:
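Best answer
Based on the log information you provided, the IPSec tunnel has run into a problem. The specific error message indicates that the source address check failed because the supplied address was treated as a valid address. This may be caused by a configuration error or an IPSec policy mismatch. Please check the source and destination address settings of the IPSec policy and make sure they match your network environment. If the problem persists, a further review of the network device configuration or contacting the device vendor's technical support may be needed.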
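One way to carry out the address check suggested in the answer, as an added example that is not part of the original post or reply: it compares the flow shown in `dis ipsec sa` with the ACL 3999 rules referenced by `nat outbound`, to confirm the protected traffic hits a `deny` rule and is therefore exempt from NAT. The function names are hypothetical, the sample input is constructed from lines quoted in the question, and it assumes rules are matched in ascending rule number with contiguous wildcard masks.

```python
import ipaddress
import re

# Constructed sample input: lines taken from the config and `dis ipsec sa` output in the question.
ACL_3999 = """\
rule 1 deny ip source 192.166.0.0 0.0.255.255 destination 192.68.0.0 0.0.255.255
rule 2 deny ip source 192.68.0.0 0.0.255.255 destination 192.166.0.0 0.0.255.255
rule 100 permit ip
"""
SA_FLOW = """\
sour addr: 192.166.69.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.68.69.0/255.255.255.0 port: 0 protocol: ip
"""
RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip"
                     r"(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?")
FLOW_RE = re.compile(r"(sour|dest) addr: (\S+)/(\S+)")

def wildcard_net(addr, wildcard):
    """Convert an ACL 'address wildcard' pair to a network; no address means any."""
    if not addr:
        return ipaddress.ip_network("0.0.0.0/0")
    # Invert the wildcard into a netmask; a non-contiguous wildcard raises ValueError.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(text):
    rules = [(int(n), act, wildcard_net(s, sw), wildcard_net(d, dw))
             for n, act, s, sw, d, dw in RULE_RE.findall(text)]
    return sorted(rules, key=lambda r: r[0])  # assumed: ascending rule-number order

def parse_flow(text):
    nets = {k: ipaddress.ip_network(f"{a}/{m}", strict=False)
            for k, a, m in FLOW_RE.findall(text)}
    return nets["sour"], nets["dest"]

def first_match(rules, src, dst):
    """First rule that fully covers the flow (partial overlaps are ignored here)."""
    for num, action, rule_src, rule_dst in rules:
        if src.subnet_of(rule_src) and dst.subnet_of(rule_dst):
            return num, action
    return None

def nat_exempt(rules, src, dst):
    # In an ACL used by `nat outbound`, a deny hit means the flow is not translated.
    hit = first_match(rules, src, dst)
    return hit is not None and hit[1] == "deny"

if __name__ == "__main__":
    flow = parse_flow(SA_FLOW)
    print(flow[0], "->", flow[1], first_match(parse_acl(ACL_3999), *flow))
```

If the first match for an SA flow is `rule 100 permit`, that traffic is translated by `nat outbound` on the interface and no longer matches the protected flow.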